How to alert when the "Operating System" value changes for any Computer object in Active Directory
Description
Administrators may want to be alerted when the "Operating System" value changes to a specified version for a Computer object in Active Directory. This type of alert may be useful to monitor if workstations have been upgraded to Windows 10.
Resolution
Follow these steps to alert when the "Operating System" value changes to a specified version for any Computer object in Active Directory:
Configure Change Auditor to monitor the "Operating System" value for Active Directory Computer objects:
Go to the "Administration" tab, click "Auditing" in the bottom left-hand corner, and then click "Attributes" under "Active Directory" in the upper left-hand corner
Highlight "computer"; its "Unmonitored Attributes" will be populated in the list below
Locate and highlight the "operatingsystem" attribute and click the Add button
Create a Search to locate changes in operatingsystem:
Go to the Searches tab and create a new Search
On the What tab of the Search, click the drop-arrow next to the Add button and select "Event Class"
Locate the "computer operatingSystem changed" event in the list and highlight it
A "Restriction" box will then appear; put a check mark in "Where the new value contains the following text"
In the corresponding field, enter the operating system name as it would appear in Active Directory. For example, the following would be entered to capture any version starting with Windows 10: Windows 10
Click the Add button
Save the Search
Test the Search to ensure expected results are returned
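When testing the Search, the directory itself can be queried to confirm the exact operatingSystem strings in use and which computers should appear in the results. The following PowerShell is an added example, not part of Change Auditor or the original article; it assumes the RSAT ActiveDirectory module, read access to the domain, a 7-day look-back window, and the PDC emulator as the domain controller to query.

```powershell
# Added example: cross-check for the Change Auditor Search, run from a
# workstation with the ActiveDirectory module (RSAT) installed.
Import-Module ActiveDirectory

# Same text entered in the "Where the new value contains the following text" restriction.
$OsText = 'Windows 10'
# Assumption: compare against the last 7 days of changes; adjust to your test window.
$Since  = (Get-Date).AddDays(-7)
# Assumption: read replication metadata from the PDC emulator (any reachable DC works).
$Server = (Get-ADDomain).PDCEmulator

# 1. List the operatingSystem strings as they actually appear in Active Directory,
#    so the restriction text can be matched against real values.
Get-ADComputer -Filter 'operatingSystem -like "*"' -Properties operatingSystem -Server $Server |
    Group-Object -Property operatingSystem |
    Sort-Object -Property Count -Descending |
    Select-Object -Property Count, Name

# 2. For computers whose current value contains the text, read the replication
#    metadata of the operatingSystem attribute to see when it was last written.
Get-ADComputer -Filter "operatingSystem -like '*$OsText*'" -Properties operatingSystem -Server $Server |
    ForEach-Object {
        $meta = Get-ADReplicationAttributeMetadata -Object $_.DistinguishedName `
                    -Server $Server -Properties operatingSystem
        if ($meta -and $meta.LastOriginatingChangeTime -ge $Since) {
            [pscustomobject]@{
                Computer        = $_.Name
                OperatingSystem = $_.operatingSystem
                LastChanged     = $meta.LastOriginatingChangeTime
                # Version 1 means the value was written once (typically at domain join);
                # a higher version means the attribute was changed afterwards.
                Version         = $meta.Version
            }
        }
    } |
    Sort-Object -Property LastChanged -Descending |
    Format-Table -AutoSize
```

Replication metadata records only the most recent write to the attribute, so this output shows which computers to expect in the Search results rather than a full change history.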